A Commitment Scheme with Output Locality-3 Fit for the IoT Device

Low output locality is a property of functions in which every output bit depends on a small number of input bits. In IoT devices with only a fragile CPU, it is important for many IoT devices to cooperate to execute a single function. In such collaborative IoT work, the feature of low output locality is very useful. This is why it is desirable to reconstruct cryptographic primitives with low output locality. However, until now, commitment with a constant low output locality has been constructed by using strong randomness extractors from a nonconstant-output-locality collision-resistant hash function. In this paper, we construct a commitment scheme with output locality-3 from a constant-output-locality collision-resistant hash function for the first time. We prove the computational hiding property of our commitment under the decisional (M, δ)-bSVP assumption and the computational binding property under the (M, δ)-bSVP assumption, respectively. Furthermore, we prove that the (M, δ)-bSVP assumption can be reduced to the decisional (M, δ)-bSVP assumption. We also give a parameter suggestion for our commitment scheme with 128-bit security.


Introduction
The computational complexity of cryptographic primitives is a fundamental problem in the construction of highly efficient and secure protocols [1,2]. In ITCS 2017, Applebaum et al. achieved pioneering results for low-complexity cryptographic constructions of fundamental primitives [3]. Their technique provides a general framework for converting relatively high-complexity cryptographic functions to low-complexity ones, including one-way and pseudorandom functions of low output locality. Furthermore, Applebaum et al. proposed constructions for collision-resistant hash functions of constant output locality from computationally hard problems on lattices and multivariate polynomials [4]. Interestingly, one of their collision-resistant hash functions with low output locality relies on the hardness assumption of the lattice problem called the (M, δ)-bSVP assumption. The output locality is a natural complexity measure of computational efficiency for Boolean functions. A Boolean function has output locality k if each output bit depends on at most k input bits. Low-output-locality functions are implementable by low-depth circuits, implying high parallelizability. In the extreme case, if a function has constant output locality, it can be decomposed into smaller functions computed in parallel by constant-depth circuits. In IoT devices with only a fragile CPU, it is difficult to execute a single rather large function. For this reason, it is important for many IoT devices to cooperate to execute a single function. In such collaborative IoT work, the property of decomposition into smaller functions is very useful. Low-depth cryptographic functions play crucial roles in certain protocols as well as in IoT devices. For example, the bootstrapping method requires a low-depth decryption function, as in lattice-based fully homomorphic public-key encryption [5].
There are several quantum-resistant cryptosystems, such as homogeneous cryptosystems and lattice cryptosystems. Output locality is a technology that encourages collaborative work in cryptography. In particular, the construction of cryptographic primitives that are secure against quantum attacks and satisfy output locality is significant for the widespread use of IoT devices. This paper aims to construct cryptographic primitives that have output locality and are secure against quantum attacks.
On the other hand, a commitment scheme is a fundamental protocol and a key building block of basic cryptographic tasks such as zero-knowledge identification [6]. The scheme is conducted between two parties (i.e., a sender and a receiver) through commitment and decommitment phases. In the commitment phase, the sender converts a message into a commitment string and sends it to the receiver. Then, in the decommitment phase, the sender sends the decommitment string in which the message is embedded, which allows the receiver to verify whether the commitment string was indeed generated from the message. A commitment scheme's security is formalized by two properties: the hiding property and the binding property. The hiding property guarantees that no receiver can obtain partial information about the message before the decommitment phase. The binding property ensures that no sender can choose between two or more candidate messages by switching the decommitment strings in the decommitment phase. The related work is as follows. Note that neither standard commitment schemes such as Pedersen [7] nor Halevi-Micali [8] have low output locality. To achieve a commitment scheme with low output locality, two approaches have been investigated so far. One is proposed in [3], which provides a transformation from collision-resistant hash functions to commitment schemes that preserves low output locality by using strong randomness extractors in order to obtain the hiding property. Their commitment schemes using this general transformation satisfy output locality four.
Another one is to avoid using such strong randomness extractors and to construct a commitment scheme directly from a hash function [9,10], which are our preliminary works. Remark that, in [9], it only proves that the output locality is smaller than the input length, and in [10], it is only claimed that the hiding property is based on the decisional (M, δ)-bSVP assumption, whereas no concrete proof was given nor the relation between the decisional (M, δ)-bSVP assumption and (M, δ)-bSVP assumption was shown. In other words, no secure commitment with output locality-3 has been proposed so far without using strong randomness extractors.
Our contributions are as follows. In this paper, we propose a commitment scheme with an output locality of three for the first time. Our construction does not use strong randomness extractors. We construct a commitment scheme directly from a collision-resistant hash function in NC^0 without using a strong randomness extractor. We prove its computational hiding property and its computational binding property by using the decisional (M, δ)-bSVP assumption and the (M, δ)-bSVP assumption, respectively. Furthermore, we prove that the (M, δ)-bSVP assumption can be reduced to the decisional (M, δ)-bSVP assumption.
To construct such a commitment scheme, we focus on two primitives. The first is a commitment scheme from the short integer solution (SIS) problem [11].
This scheme makes use of a lattice-based collision-resistant hash function of "matrix-vector multiplication" form, i.e., y = M · x for a matrix M ∈ Z_q^{m×n} and a vector x ∈ Z_2^n. Our commitment also follows such a simple construction. As for the lattice-based collision-resistant hash function of low output locality, we use the next primitive, a function f(x) = M · ex(x), where ex is an expanding function that dilutes the Hamming weight of the input x to achieve collision resistance from the intractability of bSVP [3].
Then, a randomized encoding technique [4] is applied to the function f(x) to achieve low output locality. Here, a randomized encoding of f(x) is a randomized mapping f̂(x, r) that generates an output distribution dependent only on f(x).
This paper is the full version of our preliminary work [10] presented at CANDAR 2020. In [10], we constructed a commitment scheme with output locality-3. However, it did not include any security consideration. In this article, we reconstruct a commitment scheme with output locality-3 based on the (M, δ)-bSVP assumption and the decisional (M, δ)-bSVP assumption. What we achieve in this paper is the following:
(i) Prove that the (M, δ)-bSVP assumption can be reduced to the decisional (M, δ)-bSVP assumption
(ii) Prove that our commitment scheme satisfies the computational binding property based on the (M, δ)-bSVP assumption and satisfies the computational hiding property based on the decisional (M, δ)-bSVP assumption
(iii) Compare our commitment scheme with previous studies
Roadmap: the remainder of this paper is organized as follows. Section 2 summarizes the commitment scheme, the hash function, and the output locality. Section 3 describes the building blocks of our construction. Then, we present our commitment scheme in Section 4. In Section 5, we suggest the parameters of our commitment scheme. Finally, we conclude our work in Section 6.

Preliminaries
First, we summarize the notations used in this paper.
Definition 1 (commitment scheme). A commitment scheme, Comm(S, R), is a two-phase protocol between two probabilistic polynomial-time parties S and R, which are called the sender and receiver, respectively.
During the first phase (commitment phase), S commits to a string a with a pair of keys (com, dec) by executing (com, dec) ← S(1^k, pp). Then, S sends com (the commitment string) to R.
During the second phase (decommitment phase), S sends the key dec (the decommitment string) together with a to R. Then, R verifies whether the decommitment string is valid by executing R(com, dec). If invalid, R(com, dec) outputs a special string, ⊥, meaning that R rejects the decommitment of S. Otherwise, R(com, dec) can efficiently compute the string a revealed by S and verifies whether a was indeed chosen by S during the first phase.
In the following discussion, we provide the security notions of the commitment scheme Comm(S, R).
Definition 2 (computational binding property; see [8]). We say that Comm(S, R) is computationally binding if it is computationally infeasible to generate a commitment string com and two decommitment strings dec, dec′ (dec ≠ dec′) such that R computes a message a from (com, dec) and a different message a′ from (com, dec′). In detail, for every probabilistic polynomial-time adversary S′(1^k, pp), the following holds:
where ε(k) is a negligible function of k. We then say that the commitment scheme Comm(S, R) is computationally binding.

Definition 3 (computational hiding property). A commitment scheme Comm(S, R) is computationally hiding if for every probabilistic polynomial-time party R_com it satisfies
where pp is a public parameter generated randomly according to the commitment scheme and y_i is a commitment string generated from pp and x_i by S for random x_i sampled from a distribution unknown to R_com (i = 1, 2).
The computational security of a commitment scheme in this study uses the following assumption.
Definition 4 ((M, δ)-bSVP assumption; see [3]). For a weight parameter δ(n), δ: N → (0, 1/2), and an efficient sampler M(1^n) that samples m × n binary matrices, the (M, δ)-bSVP assumption asserts that, for every efficient algorithm Adv, the probability is given by
We introduce a feature of the output locality. We start from the definition of a hash function. A hash function converts input bits of arbitrary length into compressed output bits of shorter length. We define the collision resistance of a hash function in Definition 5.
Definition 5 (collision resistance). We have an arbitrary probabilistic polynomial algorithm, Adv, given a description of the hash function and the length parameter as inputs. If the probability that Adv outputs x,
Next, we define the output locality.
Definition 6 (output locality). We say that the function h has output locality d if each of the output bits depends on at most d input bits.
Finally, we define perfect randomized encoding (PRE). PRE is a technique that can make the output locality a constant.
Definition 7 (perfect randomized encoding; see [3]). Let We say that a function there exist an efficient decoding algorithm C and a randomized simulator S that satisfy the following:
(ii) Perfect privacy: for every x ∈ {0,1}^n, the distribution f̂(x; r) induced by a uniform choice of
(iv) Length preserving: the difference s − (n + m) between the output length and the total input length of the encoding is equal to the difference l − n between the output length and the input length of f.

Building Blocks
In this section, we first define an expanding function ex [3] in Section 3.1. The expanding function is created so that the (M, δ)-bSVP assumption can be applied to the function. We then show an example of a PRE and how to make the output locality constant by using a PRE in Section 3.2. We also show how to recover f(x) from the encoded function f̂(x), which is called perfect correctness of the PRE.

Expand Function ex.
We give one expanding function ex, used in Theorem 4, where ex is a function {0,1}^k → {0,1}^n that dilutes the relative Hamming weight of the input bits. In order to satisfy the (M, δ)-bSVP assumption, the relative Hamming weight β of the outputs ex(x) has to satisfy β ≤ δ/2 (δ ∈ (0, 1/2)).
Next, we explain how the function ex expands the input bits. First, we divide the k input bits into k/d blocks of d bits each, as shown in Figure 1. We apply a function ex0 to each d-bit block, where ex0 expands a d-bit block into a c-bit block, as shown in Algorithm 1.
Then, every output block of ex0 is concatenated to form the output of ex (c · (k/d) = n). The whole algorithm of ex is given in Algorithm 2. The properties of ex are given in Lemma 1.

for every x, and (3) ex has output locality d.
In this study, the hash function H_Mex uses the expanding function defined in Lemma 1.

Construction of PRE.
We give one construction of a PRE for a given function f: F_2^n → F_2 in Construction 1.
Construction 1 (see [1]). Let f be a function f: F_2^n → F_2. Then, we separate f(x) into v functions T_1, …, T_v: F_2^n → F_2 as follows:
where each T_j(x) can be written as a monomial (j = 1, …, v). For r_1, …, r_v, r′_1, …, r′_{v−1} ∈ F_2, we define a function f̂ as follows. As an example, take v = 3 and n = 4. Then, f can be encoded as the following equation:
Equation (7) is an example of Construction 1. Denote by C(z) the sum of all bits of z over F_2. Then, we can recover f(x) from f̂(x) by using C as follows:
It satisfies "perfect correctness" since C(f̂(x)) = f(x). As the example of equation (7) shows, the output locality of the function f(x) can be reduced to a constant by using a PRE. A quantitative evaluation of the output locality is given in Lemma 2.
Lemma 2 (see [1]). Let f: F_2^n → F_2 be a function. Then, let f̂ be given as in Construction 1
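To make Construction 1 and its perfect-correctness and perfect-privacy conditions concrete, here is an added Python example; it is not code from the paper or from [1]. It encodes a constructed function f: F_2^4 → F_2 given as v = 3 degree-2 monomials (my choice; the paper's equation (7) is not reproduced), using the randomness r_1, …, r_v, r′_1, …, r′_{v−1} in a wiring that I assume: each output is either T_j + r_j or a chain term in which every random bit appears exactly twice, so the decoder C (XOR of all bits) returns f(x), the encoding has s = 2v bits from m = 2v − 1 random bits (the length-preserving condition of Definition 7), and every output bit depends on at most three inputs. Output locality is measured by brute force, and perfect privacy is checked by comparing the real encoding distribution against a simulator that only sees f(x).

```python
import itertools
from collections import Counter

# Constructed example (assumption): f(x) = x0*x1 + x1*x2 + x2*x3 over F2,
# i.e. v = 3 monomials T_1, T_2, T_3 on n = 4 variables.
N_VARS = 4
MONOMIALS = [(0, 1), (1, 2), (2, 3)]


def eval_monomial(mono, x):
    """Product over F2 of the variables listed in mono."""
    val = 1
    for i in mono:
        val &= x[i]
    return val


def f(x, monomials=MONOMIALS):
    """f(x) = T_1(x) + ... + T_v(x) over F2."""
    return sum(eval_monomial(T, x) for T in monomials) % 2


def encode(x, rnd, monomials=MONOMIALS):
    """Assumed f_hat(x; r, r'): m = 2v-1 random bits in, s = 2v bits out.
    Outputs T_j + r_j (j = 1..v) followed by the chain r_1 + r'_1,
    r'_1 + r_2 + r'_2, ..., r'_{v-1} + r_v.  Every random bit occurs exactly
    twice, so the XOR of all outputs equals f(x)."""
    v = len(monomials)
    assert len(rnd) == 2 * v - 1
    r, rp = rnd[:v], rnd[v:]
    out = [eval_monomial(monomials[j], x) ^ r[j] for j in range(v)]
    for j in range(v):
        bit = r[j]
        if j > 0:
            bit ^= rp[j - 1]
        if j < v - 1:
            bit ^= rp[j]
        out.append(bit)
    return out


def decode(z):
    """C(z): add all bits of z over F2 (perfect correctness: C(f_hat(x)) = f(x))."""
    return sum(z) % 2


def simulate(b, v, rnd_bits):
    """Simulator S(b): a uniform 2v-bit string whose XOR is b (uses 2v-1 uniform bits)."""
    z = list(rnd_bits[: 2 * v - 1])
    z.append(b ^ (sum(z) % 2))
    return z


def check_perfect_correctness(n=N_VARS, monomials=MONOMIALS):
    """C(f_hat(x; r)) == f(x) for every x and every r."""
    v = len(monomials)
    for x in itertools.product((0, 1), repeat=n):
        for rnd in itertools.product((0, 1), repeat=2 * v - 1):
            if decode(encode(list(x), list(rnd), monomials)) != f(list(x), monomials):
                return False
    return True


def check_perfect_privacy(n=N_VARS, monomials=MONOMIALS):
    """For every x, the encoding distribution over uniform r equals the
    simulator's distribution given only f(x)."""
    v = len(monomials)
    rand_space = list(itertools.product((0, 1), repeat=2 * v - 1))
    for x in itertools.product((0, 1), repeat=n):
        real = Counter(tuple(encode(list(x), list(rnd), monomials)) for rnd in rand_space)
        sim = Counter(tuple(simulate(f(list(x), monomials), v, rnd)) for rnd in rand_space)
        if real != sim:
            return False
    return True


def output_locality(fn, n_inputs, n_outputs):
    """Largest number of input bits any single output bit of fn depends on,
    found by flipping each input over every assignment (brute force)."""
    worst = 0
    assignments = list(itertools.product((0, 1), repeat=n_inputs))
    for o in range(n_outputs):
        deps = 0
        for i in range(n_inputs):
            for bits in assignments:
                flipped = list(bits)
                flipped[i] ^= 1
                if fn(list(bits))[o] != fn(flipped)[o]:
                    deps += 1
                    break
        worst = max(worst, deps)
    return worst


def locality_of_f():
    return output_locality(lambda b: [f(b)], N_VARS, 1)


def locality_of_encoding():
    v = len(MONOMIALS)
    return output_locality(lambda b: encode(b[:N_VARS], b[N_VARS:]), N_VARS + 2 * v - 1, 2 * v)
```

Running `locality_of_f()` gives 4 (the plain f reads all four inputs) while `locality_of_encoding()` gives 3, which is the effect Lemma 2 quantifies: a degree-2 monomial plus one mask bit, or a chain term of three mask bits, never touches more than three inputs.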

Proposed Commitment Scheme
In this section, we propose a commitment scheme Comm_Mex(S, R), which is constructed by using ex and Ĥ_Mex. The hash function Ĥ_Mex is a PRE of H_Mex. We define the decisional (M, δ)-bSVP assumption and show that the (M, δ)-bSVP assumption can be reduced to the decisional (M, δ)-bSVP assumption. Furthermore, we show that our proposed commitment scheme satisfies the binding property and the hiding property.
statistically hiding commitment scheme with output locality-4 from their collision-resistant hash function under the (M, δ)-bSVP assumption. Their commitment scheme executes a hash function based on a randomness extractor and an ordinary hash function with output locality-4. As a result, two hash functions are required. Furthermore, the randomness extractor is a universal hash function family, so it requires additional random bits to choose a function from the family. Here, the additional bits correspond to the input of the hash function.
In contrast, our commitment scheme only has to execute an ordinary hash function once. Compared with their commitment scheme, our scheme is more efficient. Furthermore, our commitment scheme achieves output locality-3 by introducing the new notion of the decisional (M, δ)-bSVP assumption.

Decisional (M, δ)-bSVP Assumption.
We introduce the new notion of the decisional (M, δ)-bSVP assumption, which is a decisional version of the (M, δ)-bSVP assumption defined in Definition 4.
Definition 8 (decisional (M, δ)-bSVP assumption). For a weight parameter δ(n): N → (0, 1/2), the uniform distribution U over Z_2^m, and an efficient sampler M(1^n) that samples m × n binary matrices, the decisional (M, δ)-bSVP assumption asserts that, for any polynomial algorithm Adv and for every x ∈ {0,1}^n with δ ≤ Δ(x) ≤ 1 − δ,
We show that the (M, δ)-bSVP assumption can be reduced to the decisional (M, δ)-bSVP assumption by referring to the methodology presented in Lemma 4.2 of [13], where decision LWE is reduced to search LWE.
Proof. Let D be a distinguisher that distinguishes whether an element was sampled from the (M, δ)-bSVP distribution or from the uniform distribution U. Then, we construct D′, which finds x ∈ Z_2^n from Mx. We first show how D′ finds x_1 ∈ Z_2, the first coordinate of x. The remaining coordinates can be recovered in the same way.
Given an input A = (M, y) of D′, where y is selected from the (M, δ)-bSVP distribution, the input of D is defined as follows. Let x be denoted as x = [x_1, …, x_n] and let M be denoted by the following equation:
Then, y = Mx ∈ F_2^m can be written as

For randomly chosen k ∈ Z_2 and l_{i1} ∈ Z_2 (i = 1, …, m), compute a pair
Denote the value obtained in equation (12) as
then y′ can be written as the following equation:
Since equation (13) can be expressed in the form y′ = M′x, D can recognize that equation (13) is contained in the (M, δ)-bSVP distribution. Then, D can distinguish that A′ is in the (M, δ)-bSVP distribution. In contrast, if k ≠ x_1, then y′ will be expressed as
which is clearly not a sample from the (M, δ)-bSVP distribution. Then, D can distinguish that A′ is in the uniform distribution. Finally, D′ outputs x_1 = k if D outputs "(M, δ)-bSVP distribution"; otherwise, if D outputs "uniform distribution", D′ outputs x_1 = k + 1 (mod 2), i.e., x_1 ≠ k.
All other remaining coordinates of x can be recovered in the same way. Therefore, D′ can output x by using D with nonnegligible probability.
From the contrapositive of Theorem 1, we obtain Corollary 1.

A Hash Function H Mex for the Commitment Scheme.
We first explain the hash function H_Mex [3], which consists of a matrix M and the expanding function ex, as shown in Algorithm 3. Then, we show the hash function Ĥ_Mex, which is a PRE of H_Mex.
We consider the matrix M as follows:
We show the output locality of Ĥ_Mex in Theorem 3.

Theorem 3. Ĥ_Mex has output locality 3.
Proof. Let us investigate the output locality of Ĥ_Mex. From the structure of Algorithm 4, the maximum number of input bits on which any output bit depends is 3. Therefore, the output locality of Ĥ_Mex is 3.
Next, let us discuss the collision resistance of Ĥ_Mex. If a function is collision resistant, then its PRE is also collision resistant [1]. Applebaum et al. proved the collision resistance of H_Mex. Therefore, the collision resistance of Ĥ_Mex follows from [1]. The collision resistance of Ĥ_Mex is described in Lemma 3.

Commitment Scheme Comm_Mex(S, R).
We show the commitment scheme Comm_Mex(S, R) based on Ĥ_Mex, which consists of initialization, a commitment phase, and a decommitment phase. In this construction, we use the same matrix M throughout, but the matrix M can also be refreshed periodically, and the computational binding property and computational hiding property also hold with a refreshed matrix M.
Comm_Mex(S, R):
Before the commitment phase, both S and R share the following information:
Commitment phase by S:
(1) Choose a random number r ∈ {0,1}^{k/2} as the key of the hash function
(2) Choose a message string a ∈ {0,1}^{k/2}, and concatenate a and r as x = a‖r
(3) com(a, r, t) = Ĥ_Mex(a, r, t′) as a commitment string com
Decommitment phase from S to R:
S executes the following:
(1) S sends (a, r) ∈ {0,1}^{k/2} × {0,1}^{k/2} and t ∈ {0,1}^{nm} to R as a decommitment string dec
R executes the following:
(1) Compute x = a‖r from dec.
(3) Compute the commitment string Ĥ_Mex(a, r, t) and check whether Ĥ_Mex(a, r, t) = com. If this is satisfied, R outputs a. Otherwise, R outputs ⊥.
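The following Python toy implementation is an added example, not code from the paper, and serves three passages at once: the expanding function ex of Section 3.1, the commitment and decommitment phases above, and the binding argument that follows (two valid openings to different messages yield a collision of the hash). Its assumptions: ex0 maps each d-bit block to the one-hot vector of length c = 2^d (every output bit of a block depends on all d input bits, and the relative weight of ex(x) is exactly 1/c for every x; the paper's Algorithm 1 is not reproduced); the hash used is the decoded H_Mex(x) = M · ex(x) over F_2 rather than its PRE Ĥ_Mex, so the encoding randomness t is omitted; and the parameters (k = 8, d = 2, m = 6) are tiny so that exhaustive search is possible, which is exactly what the (M, δ)-bSVP assumption rules out at real sizes. The two matrices are constructed for the demonstration: the identity, under which no double opening can exist, and a deliberately weak matrix whose first c columns are zero, so the hash ignores the first message block.

```python
# Toy parameters (constructed; far below the paper's 128-bit suggestion):
# a k-bit hash input is split into blocks of d bits, each expanded to
# c = 2**d bits, so the expanded length is n = c * k / d.
K, D = 8, 2
C = 2 ** D
N = C * (K // D)


def ex0_onehot(block):
    """Assumed ex0: a d-bit block becomes the unit vector of length 2**d whose
    single 1 sits at the index the block encodes (locality d, weight 1)."""
    idx = int("".join(str(b) for b in block), 2)
    return [1 if i == idx else 0 for i in range(2 ** len(block))]


def ex(x, d=D):
    """Expanding function ex: apply ex0 blockwise and concatenate (Algorithm 2)."""
    assert len(x) % d == 0
    out = []
    for i in range(0, len(x), d):
        out.extend(ex0_onehot(x[i:i + d]))
    return out


def relative_weight(v):
    """Relative Hamming weight; the paper needs it to stay at or below δ/2."""
    return sum(v) / len(v)


def hash_mex(M, x):
    """H_Mex(x) = M . ex(x) over F2 (decoded hash, no randomized encoding)."""
    y = ex(x)
    return tuple(sum(mi & yi for mi, yi in zip(row, y)) % 2 for row in M)


def commit(M, a, r):
    """Commitment phase: x = a||r, com = H_Mex(x); the opening is dec = (a, r)."""
    return hash_mex(M, a + r), (a, r)


def verify(M, com, dec):
    """Decommitment phase: recompute the hash; return a, or None for ⊥."""
    a, r = dec
    return a if hash_mex(M, a + r) == com else None


def int_to_bits(i, width):
    return [(i >> (width - 1 - j)) & 1 for j in range(width)]


def find_double_opening(M, k=K):
    """Exhaustive search for (com, dec, dec') opening to different messages.
    Feasible only because k is tiny; at real parameters this is the binding
    game that Lemma 3 and the (M, δ)-bSVP assumption rule out."""
    seen = {}
    for i in range(2 ** k):
        x = int_to_bits(i, k)
        a, r = x[: k // 2], x[k // 2:]
        com = hash_mex(M, x)
        for (a2, r2) in seen.get(com, []):
            if a2 != a:
                return com, (a2, r2), (a, r)
        seen.setdefault(com, []).append((a, r))
    return None


def collision_from_double_opening(M, com, dec1, dec2):
    """Binding reduction: two valid openings of com to different messages give
    x1 != x2 with H_Mex(x1) = H_Mex(x2), i.e. a collision of the hash."""
    if verify(M, com, dec1) is None or verify(M, com, dec2) is None:
        return None
    x1, x2 = dec1[0] + dec1[1], dec2[0] + dec2[1]
    if x1 == x2 or hash_mex(M, x1) != hash_mex(M, x2):
        return None
    return x1, x2


# Constructed matrices: the identity (H_Mex is then injective) and a weak one
# whose first c columns are zero, so the first message block is ignored.
M_IDENTITY = [[1 if i == j else 0 for j in range(N)] for i in range(N)]
M_WEAK = [[0] * C + [1 if (i + j) % 3 == 0 else 0 for j in range(N - C)]
          for i in range(6)]
```

With `M_IDENTITY`, `find_double_opening` returns `None` because ex is injective and the hash is a copy of ex(x); with `M_WEAK`, it returns a commitment with two openings to different messages, and `collision_from_double_opening` turns that pair into a collision of `hash_mex`, which is the step the binding proof relies on.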
Next, we prove the computational binding property and the computational hiding property of Comm_Mex(S, R). We first show the computational binding property.
Proof. We assume that there exists a probabilistic polynomial-time (PPT) adversary Adv that breaks the computational binding property of the commitment scheme Comm_Mex(S, R).
Then, from Definition 2, Adv can derive the following equation with a nonnegligible function ε′(k):

Algorithm 2 (ex): (1) Partition k-bit inputs into k/d input blocks of d bits each. (2) Apply ex0 to each input block, and generate k/d output blocks of c bits.
Algorithm 4: Algorithm of Ĥ_Mex.

This shows that if a PPT Adv can break the computational binding property, it can also break the collision resistance of Ĥ_Mex by equation (18). However, we showed that Ĥ_Mex is collision resistant under the (M, δ)-bSVP assumption in Lemma 3. Therefore, by contradiction, the commitment scheme Comm_Mex(S, R) satisfies the computational binding property under the (M, δ)-bSVP assumption.
Next, we prove the computational hiding property of Comm_Mex(S, R).
Proof. We assume that there exists a probabilistic polynomial-time adversary Adv that breaks the computational hiding property of Comm_Mex(S, R). For some distinct a, a′ ∈ {0,1}^{k/2}, r, r′ ∈ {0,1}^{k/2}, t, t′ ∈ {0,1}^{nm}, and some nonnegligible function ε′, we can derive the following equation:
Since the decoding procedure C of the PRE is a polynomial-time algorithm, there exists a polynomial-time adversary Adv′, the composition of the decoding procedure and Adv, such that
By the hybrid argument, for some a,
Since r is uniformly random over {0,1}^{k/2}, for every a ∈ {0,1}^{k/2} we have Δ(a‖r) ∈ (1/8, 7/8), and hence Δ(ex(a‖r)) ∈ (d/(8c), 7d/(8c)) for the constant c/d = n/k, with probability 1 − exp(−Ω(k)) by the Chernoff bound.
are also based on lattice-based functions and consist of "matrix-vector multiplication" in the same way as ours.
A commitment scheme [KTX08] can prove its hiding property statistically and its binding property by the SIS problem. However, it did not achieve constant output locality. A commitment scheme [BDLOP18] can prove its hiding property and binding property by DKS and SKS problems, respectively. Nevertheless, it also did not achieve constant output locality.
In contrast, the commitment scheme [AHIKV17] achieved output locality-4 with a statistical hiding property and a binding property based on the (M, δ)-bSVP assumption (bSVP). However, their commitment scheme executes hash functions twice, together with a randomness extractor. It is also difficult to construct a commitment scheme with output locality-3 by using a randomness extractor.
Our commitment scheme Comm Mex (S, R) satisfies output locality-3 by proving its hiding property and binding property by the decisional (M, δ)-bSVP assumption (D-bSVP) and (M, δ)-bSVP assumption (bSVP), respectively. Our commitment scheme only executes the hash function H Mex once and does not use a randomness extractor.

Parameter Suggestion for Comm Mex (S, R)
This section suggests parameter settings of Comm_Mex(S, R), evaluated against the short integer solution (SIS) problem of Definition 9.
Definition 9 (SIS_{q,m,b}; see [11]). Given a prime q, a positive number b, and a matrix A ∈ Z_q^{n×m}, the short integer solution (SIS_{q,m,b}) problem is to find a nonzero vector z ∈ Z^m such that Az ≡ 0 (mod q) and ‖z‖ ≤ b.
Let M be a matrix in F_2^{m×n}. Under the condition Δ(x) ≤ δ, the (M, δ)-bSVP can be reduced to a SIS_{q,m,b} problem in the lattice spanned by the vectors in Ker(M), where q = 2 and b = sqrt(n · δ); namely, solving our scheme reduces to finding a short vector v (‖v‖ ≤ ‖x‖) in the lattice L = {v ∈ Z^n : Mv = 0 (mod 2)}. Denote the norm of the shortest nonzero vector b_1 in L and of the second shortest vector independent of b_1 by λ_1 and λ_2, respectively. We estimate the parameters as follows:
(1) Estimation of δ: the Gaussian heuristic gives λ_1 ≈ sqrt(n/(2πe)) · 2^{m/n}, where the volume of the lattice L is vol(L) = 2^m and e is the mathematical constant. (c) Denote α = m/n; then δ < α/2 because of the algebraic attack due to [3]. α is the ratio between the output length m and the input length n. Therefore, we get the bounds δ ≤ 0.07 and 0.14 ≤ α from λ_1/λ_2 < 1.0 according to the definition of λ_1 and λ_2 above.
(2) Evaluate the asymptotic complexity of solving the SVP by using Alkim et al.'s estimate proposed in [15], which was experimentally verified in [16]. We heuristically set n = m/α, α = 5 · δ, and δ ≤ 0.07. Then, we input the parameters (m, n, δ, q = 2); Alkim et al.'s estimate yields the minimal β_BKZ, which is the target block size used in the lattice reduction algorithm BKZ [17].
Please refer to [18] for a lucid explanation of Alkim et al.'s estimate. We consider the scenario in which one hashes 128-bit information, namely, we fix m = 128 in the estimate. Table 2 shows parameter suggestions for our scheme Comm_Mex(S, R) with respect to the security levels NIST AES-128, AES-192, and AES-256, where β_BKZ is the required block size when using the BKZ algorithm to solve (M, δ)-bSVP. The security levels "AES-128," "AES-192," and "AES-256" refer to three categories in the NIST PQC standardization project [19] in which the brute-force attack on AES key search requires at least 2^143, 2^207, and 2^272 classical computing gates, respectively.

Concluding Remarks
In this paper, we achieved the following:
(i) We proposed a new output locality-3 commitment scheme
(ii) We proved that the (M, δ)-bSVP assumption is reduced to the decisional (M, δ)-bSVP assumption
(iii) We proved that its computational binding property and computational hiding property are reduced to the (M, δ)-bSVP assumption and the decisional (M, δ)-bSVP assumption, respectively
(iv) We evaluated a secure parameter set against the short integer solution (SIS) problem
Generally, it is easier to build protocols based on the decisional (M, δ)-bSVP assumption than on the (M, δ)-bSVP assumption. Therefore, our proof may shed light on new constructions of protocols whose security is based on the decisional (M, δ)-bSVP assumption. Also, our method can be used with IoT devices with small CPUs, since it satisfies constant output locality and can therefore be executed on smaller CPUs. However, achieving an output locality-3 commitment scheme with statistical hiding remains an open problem left by this work.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this article.